Ransomware is a class of malware that attempts to extort users by holding their computer or documents hostage. It typically works by encrypting the contents of user files with strong encryption algorithms, rendering them unreadable. Ransomware differs from other types of malware in that its effects are directly reversible only with the decryption keys held by a remote adversary. Victims have little recourse other than paying the attacker to reverse this process. Some attackers even enforce strict deadlines and host elaborate customer service sites to encourage victims to pay.
Combating ransomware is difficult for a number of reasons. First, this kind of malware is easy to create or obtain, and it elicits immediate returns that create lucrative opportunities for attackers. Second, the operations performed by such malware can be difficult to distinguish from those of benign software. Finally, because the target of malware attacks is often the “unsophisticated” user, best practices that can preserve user data, such as regular data backups, are unlikely to have been employed.
While this genre of malware has existed for well over a decade, its increasingly widespread use now causes tens of millions of dollars in consumer losses annually. As such, ransomware represents one of the most visible threats to end users. Furthermore, because developing new variants is trivial, ransomware is capable of evading many existing antivirus and intrusion detection systems. Accordingly, a solution to automatically protect users even in the face of previously unknown samples is needed.